GAO says NASA has been successfully hit by cyber attacks 1,120 times in the past two years and significant holes still remain

While NASA may be focused on keeping its manned space flight plans intact, apparently it has seriously neglected the security of its networks.

Watchdogs at the Government Accountability Office issued a 53-page report pretty much ripping the space agency’s network security strategy stating that NASA has significant problems protecting the confidentiality, integrity, and availability of the information and variety of networks supporting its mission centers.

Specifically, NASA did not consistently implement effective controls to prevent, limit, and detect unauthorized access to its networks and systems. The GAO said NASA did not identify and authenticate users; restrict user access to systems; encrypt network services and data; protect network boundaries; and t and monitor computer-related events. The GAO said NASA networks and systems have been successfully targeted by cyber attacks 1,120 times in the past two years. All of this despite the fact that the agency’s IT budget in fiscal year 2009 was $1.6 billion, of which $15 million was dedicated to IT security, the GAO stated.

Because NASA’s high profile and cutting edge technology makes it an attractive target for hackers seeking recognition, or for nation-state sponsored cyber spying. Thus, it is vital that attacks on NASA computer systems and networks are detected, resolved, and reported in a timely fashion and that the agency has effective security controls in place to minimize its vulnerability to such attacks, the GAO stated.

The agency relies on computer networks and systems to collect, access, or process a significant amount of data that requires protection, including data considered mission-critical, proprietary, and/or sensitive but unclassified information. For example, the agency-wide system controlling physical access to NASA facilities stores personally identifiable information such as fingerprints, Social Security numbers, and pay grades.

In addition an application for storing and sharing data such as computer-aided design and electrical drawings, and engineering documentation for Ares launch vehicles is being used by 7 agency data centers at 11 locations. Accordingly, effective information security controls are essential to ensuring that sensitive information is adequately protected from inadvertent or deliberate misuse, fraudulent use, improper disclosure or manipulation, and destruction, the GAO stated.

Some of the issues the GAO found included:

• One center reported the theft of a laptop containing data subject to International Traffic in Arms Regulations. Stolen data included roughly 3,000 files of unencrypted International Traffic in Arms Regulations data with information for Hypersonic Wind Tunnel testing for the X-51 scramjet project and possibly personally identifiable information. Another center reported the theft of a laptop containing thermal models, review documentation, test plans, test reports, and requirements documents pertaining to NASA’s Lunar Reconnaissance Orbiter and James Webb Space Telescope projects. The incident report does not indicate whether this lost data was unencrypted or encrypted or how the incident was resolved. Significantly, these were not isolated incidents since NASA reported 209 incidents of unauthorized access to US-CERT during fiscal years 2007 and 2008.

• NASA did not configure certain systems and networks at two centers to have complex passwords. Specifically, these systems and networks did not always require users to create long passwords. In addition, users did not need passwords to access certain network devices. Furthermore, encrypted password and network configuration files were not adequately protected, and passwords were not encrypted. As a result, increased risk exists that a malicious individual could guess or otherwise obtain user identification and passwords to gain network access to NASA systems and sensitive data.

• Although NASA has implemented cryptography, it was not always sufficient or used in transmitting sensitive information. For example, NASA centers did not always employ a robust encryption algorithm that complied with federal standards to encrypt sensitive information. The three centers we reviewed neither used encryption to protect certain network management connections, nor did they require encryption for authentication to certain internal services. Instead, the centers used unencrypted protocols to manage network devices, such as routers and switches.

• Although NASA had employed controls to segregate sensitive areas of its networks and protect them from intrusion, it did not always adequately control the logical and physical boundaries protecting its information and systems. For example, NASA centers did not adequately protect their workstations and laptops from intrusions through the use of host-based firewalls. Furthermore, firewalls at the centers did not provide adequate protection for the organization’s networks, since they could be bypassed. In addition, the three centers had an e-mail server that allowed spoofed e-mail messages and potentially harmful attachments to be delivered to NASA. As a result, the hosts on these system networks were at increased risk of compromise or disruption from the other lower security networks.

• One center was alerted by the NASA SOC in February 2009 about traffic associated with a Seneka Rootkit Bot.22 In this case, NASA found that 82 NASA devices had been communicating with a malicious server since January 2009. A review of the data revealed that most of these devices were communicating with a server in the Ukraine. By March 2009, three centers were also infected with the bot attack.

The issues collectively increase the risk of unauthorized access to NASA’s sensitive information, as well as inadvertent or deliberate disruption of its system operations and services, the GAO stated. They make it possible for intruders, as well as government and contractor employees, to bypass or disable computer access controls and undertake a wide variety of inappropriate or malicious acts. As a result, increased and unnecessary risk exists that sensitive information is subject to unauthorized disclosure, modification, and destruction and that mission operations could be disrupted, the GAO stated.

In the end the GAO made eight recommended actions for he NASAA CIO to make including building and implementing comprehensive and physical risk assessments that include mission-related systems and applications and known vulnerabilities identified in the security plans and waivers. The GAO also said to implement an adequate incident detection program to include a consistent definition of an incident, incident roles and responsibilities, resources to operate the program, and business impacts of the incidents.

In response to the GAO report NASA in written comments concurred with the GAO’s recommendations and noted that many of the recommendations are currently being implemented as part of an ongoing strategic effort to improve information technology management and IT security program deficiencies. Although the IT security posture at NASA has significantly improved over the last three years, NASA recognizes there are still significant gaps that will require increased management attention and more time to alleviate, NASA stated.

The GAO doesn’t like a whole lot it sees at NASA. Just last month it issued another harsh report on the future of the manned space flight program.

NASA is still struggling to develop a solid business case--including firm requirements, mature technologies, a knowledge-based acquisition strategy, a realistic cost estimate, and sufficient funding and time--needed to justify moving the Constellation program, which includes the two main spaceflight components, the Ares I Crew Launch Vehicle and the Orion Crew Exploration Vehicle, forward into the implementation phase, the GAO stated.

The GAO cites significant technical and design challenges for the Orion and Ares I vehicles, such as limiting vibration during launch, eliminating the risk of hitting the launch tower during lift off, and reducing the weight of the Orion vehicle that must be overcome in order to meet safety and performance requirements.

The GAO went on to say poorly phased funding that runs the risk of funding shortfalls in fiscal years 2009 through 2012, resulting in planned work not being completed to support schedules and milestones. The overall approach has limited NASA's ability to mitigate technical risks early in development and precludes the orderly ramp up of workforce and developmental activities, the GAO stated.

Of course the GAO isn’t the only group that has doubts about the future of manned space flight. The Review of United States Human Space Flight Plan Committee said in its preliminary report on the future of NASA said: '[NASA] is perpetuating the perilous practice of pursuing goals that do not match allocated resources. Space operations are among the most complex and unforgiving pursuits ever undertaken by humans. It really is rocket science. Space operations become all the more difficult when means do not match aspirations," that report stated.

Cooney is an Online News Editor and the author of the Layer 8 blog, Network World's daily home for the not-just-networking news. He has been working with Network World since 1992. You can reach him at mcooney@nww.com.